MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 591874c05f745cf6f02c3ab1d420f9edffbda8ca2c967b0d8cbad21a10f3fd09. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 15

Intelligence 15 IOCs YARA 3 File information Comments

SHA256 hash:	591874c05f745cf6f02c3ab1d420f9edffbda8ca2c967b0d8cbad21a10f3fd09
SHA3-384 hash:	6ad0f69b21ec5d8915e8228a773b0b965c69d31930f05541813bb4e5b215e5d8e0fa963d838fced4f16a7b755cfb82b6
SHA1 hash:	d987334f6c1cfce74b83a9c07a93bf1dd683f1d7
MD5 hash:	8be8446589b3886dabd9c2f38ed6ce7d
humanhash:	lactose-quiet-vermont-utah
File name:	SecuriteInfo.com.Variant.Strictor.262149.9345.7407
Download:	download sample
Signature	Formbook Create hunting rule
File size:	826'368 bytes
First seen:	2022-06-15 10:47:46 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:fCN31TWuzpm1BOOQy+/09kCV4geAv2dLjc5NnQRq5gcINmdBQfWwWooC7Z7:f0NzU7OOQLbCiAvUINF59WEwWo97Z
Threatray	12'953 similar samples on MalwareBazaar
TLSH	T1AA057D8D66F6441BD1181671D9D6AEE017B0EC75BB12C70ABE81F9CEAE323E144123E7
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	c4bada9ae8cca4c8 (13 x Formbook, 6 x AgentTesla, 5 x AveMariaRAT)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

249

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/280116/

Detection(s):

SecuriteInfo.com.Variant.Strictor.262149.9345.7407.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Сreating synchronization primitives

Creating a process from a recently created file

Creating a process with a hidden window

Creating a file in the %temp% directory

Launching a process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/62a9b8ea8763ffd4adc7f38c/reports/e34e7fe9-6dab-43f2-8992-ecdb22513d86/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/468de047-71c3-4f2d-9ef5-778c8393b323

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1013588

Signature

Adds a directory exclusion to Windows Defender

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/591874c05f745cf6f02c3ab1d420f9edffbda8ca2c967b0d8cbad21a10f3fd09/

Threat name:

ByteCode-MSIL.Trojan.FormBook

Status:

Malicious

First seen:

2022-06-15 10:43:48 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 26 (84.62%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=lemhjqc7oropn4bmhky5iihz5x733kgkfslhwdmmxljbueht7ueq._file

Verdict:

malicious

Label(s):

formbook

Formbook

4930c3f5a795efda4d972d34a905acd87d6b42ce7bd2b2652460390cb9464126

Formbook

65c3708767175b438a938b8d5d4ae52a1d0cf450a38a4298a41ae9bd73816686

Formbook

69af526dae44e6d6cd6c83d443d2129c948e7c46d099d89f48a4bbecbab61cfd

Formbook

9120ea8d13a11c171723ddc231be7217f6611b631d98a71254be079cc3e9dfe2

Formbook

9a95de1cbc2bc1bbb8b87c0ea935b9c6675ce2a712465a40cbb2f4dfb85d711f

Formbook

a52dca7952fc2f9e276a79f41db2de5dfc2f7cc77296a72534fb052e0deaf977

Formbook

ec6260e2fa3a7b5c332df32c1c44b13533a481d04add67596e632dc8898464c2

Formbook

+ 12'943 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:oi25 rat spyware stealer trojan

Link:

https://tria.ge/reports/220615-mv4qvadgam/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

Formbook Payload

Formbook

Unpacked files

SH256 hash:

d9ad45bcbfe603a3be699508002edc692666abb8607437d7287797ebbb20c35c

MD5 hash:

75d51ce06fec59270a87053916934bbb

SHA1 hash:

892b1be0a0937ef4607d705b4e750b36e166e084

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/ec4b9856-89d8-4e74-bcef-5d0a6787a6d7/

Parent samples :

e4769e3e2b77ecaf145799bbd14fc3ebe7b7032f12f34807c59f59cee8eb063d
e3a24aa140797ba344e0e38ca85a738ce76c906f13492db3fdf982087abde342
cba6f82874cfbafe61ef0cc5491e9d11aa8aba58a4df9b3eb738ceef2da0e828
154fb108d0bed6e3e736e5e00b6a52ac322216ae2053d71ead05f6f71d909f65
4519a9d46f0391eae9853aa7bfba414b8b04a22f6dfbc6b506c9385329c187c8
ff77c6e9dc25a550d8f37600c25b0ad1069e94196cbd2372968b3ad11f47268f
d789dc89cbdaa34557abf0c25f2ae5e35208c752fdfceb0aaff7ab15a7e45220
d060c0c503a5d377c6f8df72835faad2b6172958efa655f04d3b0f074d10d1dc
9120ea8d13a11c171723ddc231be7217f6611b631d98a71254be079cc3e9dfe2
591874c05f745cf6f02c3ab1d420f9edffbda8ca2c967b0d8cbad21a10f3fd09

SH256 hash:

cefe87a0de015dc44dc1086458460be07edba8d9f7211c4bed8a11809d520a72

MD5 hash:

0403b7f4765e08a2f74690caf1a82990

SHA1 hash:

b0e9f69b8c337b605edecdcc3345c6f0045ee04e

Link:

https://www.unpac.me/results/ec4b9856-89d8-4e74-bcef-5d0a6787a6d7/

SH256 hash:

5e95b92999dc337f367d2c8e91e68daadbcdfc537d2d11fa2612ce68a58e8d04

MD5 hash:

e3df2dd40f0ce5dcd593a52653983ca4

SHA1 hash:

d7d895a35867dc41c8a03ab5ec3aa4e38e1a08a3

Link:

https://www.unpac.me/results/ec4b9856-89d8-4e74-bcef-5d0a6787a6d7/

SH256 hash:

00497966ee408c4c1badaac27ddc30b40062a0a0fda43f3325be40073f994e49

MD5 hash:

ba3d76e414bc64a6d69a9b0fb3644bc9

SHA1 hash:

7b1548114d038be4f3e1e74103b8a20e017bf123

Link:

https://www.unpac.me/results/ec4b9856-89d8-4e74-bcef-5d0a6787a6d7/

SH256 hash:

c86974f5d25ff403374516ac44a4d8b888d881de2dc92f400abf6a092bccd379

MD5 hash:

6482e9bcd9b470f0713e02d327a7d4b9

SHA1 hash:

526adca4404e347c3bc343bcc56bab6685f7f8da

Link:

https://www.unpac.me/results/ec4b9856-89d8-4e74-bcef-5d0a6787a6d7/

SH256 hash:

591874c05f745cf6f02c3ab1d420f9edffbda8ca2c967b0d8cbad21a10f3fd09

MD5 hash:

8be8446589b3886dabd9c2f38ed6ce7d

SHA1 hash:

d987334f6c1cfce74b83a9c07a93bf1dd683f1d7

Link:

https://www.unpac.me/results/ec4b9856-89d8-4e74-bcef-5d0a6787a6d7/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/591874c05f74/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/591874c05f745cf6f02c3ab1d420f9edffbda8ca2c967b0d8cbad21a10f3fd09

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	exploit_any_poppopret Create hunting rule
Author:	Jeff White [karttoon@gmail.com] @noottrak
Description:	Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/280116/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample